Talos Vulnerability Report

TALOS-2018-0597

July 10, 2018

CVE Number

CVE-2018-3930

Summary

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312).
A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the vbgetfp method.

Tested Versions

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

This vulnerability is present in the Antenna House Office Server Document Converter which is used as a document converter in many server enterprise solutions.
It can convert common formats such as Microsoft's document formats into more usable and easily viewed formats.
There is a vulnerability in the conversion process of a Microsoft Word (DOC) to PDF, JPEG and several other formats. A specially crafted Microsoft Word (DOC) file can lead to heap corruption and remote code execution.
Let’s investigate this vulnerability. After we attempt to convert a malicious Microsoft Word (doc) using the OSDC library, we see the following state:

with constant size 512 bytes (0x200). Next, 512 bytes are read directly from the file and copied into a buffer at lines 27 and 31. The last byte of that buffer (line 21) is used as the limit on the number of iterations of a loop that copies data from the buffer into dstBuffer. Each iteration copies 64 (0x40) bytes, so dstBuffer can hold at most 0x200 / 0x40 = 8 chunks, but there is no check that amountToCopy >> 4 is at most 8.
For any value of amountToCopy in the range 144-255, amountToCopy >> 4 is 9 through 15, so the loop writes between 576 and 960 bytes into the 512-byte dstBuffer, an out-of-bounds write of up to 448 bytes past the end of the allocation. As a result, the attacker can corrupt heap memory, potentially resulting in arbitrary remote code execution.
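The following C program is an added model of the copy loop described above, written for this page and not taken from the Antenna House product or from the Talos advisory. The names amountToCopy, dstBuffer and the 512/64-byte constants come from the report; the memory layout (a 512-byte region followed by a canary area standing in for whatever the heap holds after dstBuffer), the 0x41 fill pattern and the wrap-around of the source offset are assumptions made so the overflow can be observed safely rather than by corrupting the demo's own heap. The hardened variant beside it adds the missing bound check that the report says is absent.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 0x200                      /* 512-byte record read from the DOC file (from the report) */
#define CHUNK_SIZE 0x40                       /* 64 bytes copied per loop iteration (from the report)     */
#define MAX_CHUNKS (BLOCK_SIZE / CHUNK_SIZE)  /* 8: the most that fit in a 512-byte dstBuffer             */
#define CANARY     0xCC                       /* demo-only fill for the memory that follows dstBuffer     */

/* Hypothetical layout: mem[0,512) is dstBuffer, mem[512,1024) is whatever the
 * heap holds after it. Keeping both in one array lets the demo measure the
 * overflow instead of trampling unrelated allocations. */
typedef struct {
    uint8_t mem[2 * BLOCK_SIZE];
} dst_region;

static void dst_init(dst_region *d) {
    memset(d->mem, 0, BLOCK_SIZE);
    memset(d->mem + BLOCK_SIZE, CANARY, BLOCK_SIZE);
}

/* Constructed 512-byte record: filler bytes plus the attacker-chosen last byte,
 * which the vulnerable code treats as amountToCopy. */
void make_record(uint8_t record[BLOCK_SIZE], uint8_t last_byte) {
    memset(record, 0x41, BLOCK_SIZE);
    record[BLOCK_SIZE - 1] = last_byte;
}

/* Vulnerable model: the iteration count is amountToCopy >> 4 (0..15) straight
 * from the file and is never compared with MAX_CHUNKS. Returns bytes written. */
size_t vulnerable_copy(dst_region *d, const uint8_t record[BLOCK_SIZE]) {
    uint8_t amountToCopy = record[BLOCK_SIZE - 1];
    unsigned iterations = amountToCopy >> 4;
    for (unsigned i = 0; i < iterations; i++) {
        /* Demo assumption: wrap the source offset inside the record so the
         * read side stays in bounds; the write side is what the report describes. */
        const uint8_t *src = record + (i * CHUNK_SIZE) % BLOCK_SIZE;
        memcpy(d->mem + i * CHUNK_SIZE, src, CHUNK_SIZE);  /* i >= 8 lands past dstBuffer */
    }
    return (size_t)iterations * CHUNK_SIZE;
}

/* Hardened model: refuse any record that asks for more chunks than dstBuffer holds. */
int hardened_copy(dst_region *d, const uint8_t record[BLOCK_SIZE], size_t *written) {
    unsigned iterations = record[BLOCK_SIZE - 1] >> 4;
    if (iterations > MAX_CHUNKS)
        return -1;                                 /* malformed record: abort the conversion */
    for (unsigned i = 0; i < iterations; i++)
        memcpy(d->mem + i * CHUNK_SIZE, record + i * CHUNK_SIZE, CHUNK_SIZE);
    *written = (size_t)iterations * CHUNK_SIZE;
    return 0;
}

/* Bytes beyond dstBuffer that no longer hold the canary, i.e. the overflow size. */
size_t bytes_clobbered(const dst_region *d) {
    size_t n = 0;
    for (size_t i = BLOCK_SIZE; i < 2 * BLOCK_SIZE; i++)
        if (d->mem[i] != CANARY) n++;
    return n;
}

/* Run one record through the vulnerable loop; returns bytes written past dstBuffer. */
size_t overflow_for(uint8_t last_byte) {
    dst_region d;
    uint8_t rec[BLOCK_SIZE];
    dst_init(&d);
    make_record(rec, last_byte);
    vulnerable_copy(&d, rec);
    return bytes_clobbered(&d);
}

/* Same record through the hardened loop; returns bytes written, or -1 if rejected. */
long hardened_len(uint8_t last_byte) {
    dst_region d;
    uint8_t rec[BLOCK_SIZE];
    size_t written = 0;
    dst_init(&d);
    make_record(rec, last_byte);
    if (hardened_copy(&d, rec, &written) != 0)
        return -1;
    return bytes_clobbered(&d) == 0 ? (long)written : -1;
}

int main(void) {
    for (unsigned b = 0x80; b <= 0xFF; b += 0x10)
        printf("amountToCopy 0x%02X -> %u iterations, %zu bytes past dstBuffer, hardened: %ld\n",
               b, b >> 4, overflow_for((uint8_t)b), hardened_len((uint8_t)b));
    return 0;
}
```

Running it shows the boundary the report gives: 0x8F (143) yields exactly 8 iterations and no overflow, while 0x90 (144) is the first value that writes a full 64-byte chunk past dstBuffer, and 0xFF writes 448 bytes past it. The hardened loop accepts everything up to 8 chunks and returns -1 for the rest, which is the single comparison the vulnerable code lacks.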